Buhtrap Gang Steals Millions From Russian Banks

The cybercriminal gang known as Buhtrap has stolen $25 million from 13 Russian banks over a six-month period, according to a report published on Thursday by Russia-based security firm Group-IB.

Buhtrap is believed to have been active since 2014, but their attacks focused on the customers of Russian banks until August 2015. The first attack targeting financial institutions directly was spotted in August 2015, and over the next months the group sent out spear-phishing emails to many organizations.

The emails carried a malicious Word document designed to download the Buhtrap malware, which opens a backdoor on the infected machine and allows attackers to log keystrokes, steal clipboard data, view and control the victim’s screen, and download other malware.

The group later started using a worm, dubbed by Group-IB BuhtrapWorm, which allowed attackers to remain in the targeted corporate network as long as at least one computer was infected.

In attacks aimed at Russian banks, the gang targeted workstations running a free application called Automated Working Station of the Central Bank Client (AWS CBC). The attackers replaced legitimate payment orders in AWS CBC with their own so that money would be sent to accounts they controlled instead of the legitimate recipient.

Group-IB believes the group has stolen $25 million (1.8 billion RUB) from 13 Russian banks between August 2015 and February 2016. Experts estimate that the lowest amount stolen from a Russian bank is $370,000 (25 million RUB), and the highest amount is close to $9 million (600 million RUB). Researchers could not determine the damage caused by the attackers to banks in Ukraine.

The source code for an earlier version of Buhtrap was leaked on an underground forum in February 2016 by an individual claiming to be one of the malware’s authors. Researchers believe the leak could lead to an increase in the number of attacks using this threat.

Group-IB is not the only security firm monitoring Buhtrap’s activities. ESET published a report on the cybercrime group in April 2015, and, last month, Symantec said it observed the actor targeting the employees of at least six Russian banks.

In its report on Buhtrap, Group-IB noted that the attacks were not sophisticated and they could have easily been detected and blocked had the targeted organizations taken basic security measures, such as keeping their systems up to date and educating their employees about phishing attacks.

Russian banks are increasingly targeted by cybercriminals. Other groups that have caused significant losses to financial institutions in the country by leveraging clever techniques are Carbanak (Anunak), Metel (Corkow) and GCMAN.